diff options
author | asteroide <thomas.duval@orange.com> | 2015-11-05 14:36:16 +0100 |
---|---|---|
committer | asteroide <thomas.duval@orange.com> | 2015-11-05 14:36:16 +0100 |
commit | 9861ca3857b45fc70e333fdf321102824927e813 (patch) | |
tree | dbc18e718dc5f89224789f0f61141c21fc0fc566 | |
parent | cd2aa309f52cb9c2ae8bfb5f52219b59d82d31d7 (diff) |
Change middleware behaviour because of swift requests.
Change-Id: Ibb5c25d40a2004701a20a8903e70f1a6c8704ae1
-rw-r--r-- | keystonemiddleware-moon/keystonemiddleware/authz.py | 65 |
1 files changed, 47 insertions, 18 deletions
diff --git a/keystonemiddleware-moon/keystonemiddleware/authz.py b/keystonemiddleware-moon/keystonemiddleware/authz.py index 8dbb60e9..f5f19079 100644 --- a/keystonemiddleware-moon/keystonemiddleware/authz.py +++ b/keystonemiddleware-moon/keystonemiddleware/authz.py @@ -39,24 +39,25 @@ _OPTS = [ _AUTHZ_GROUP = 'keystone_authz' CONF = cfg.CONF CONF.register_opts(_OPTS, group=_AUTHZ_GROUP) +CONF.debug = True # auth.register_conf_options(CONF, _AUTHZ_GROUP) # from http://developer.openstack.org/api-ref-objectstorage-v1.html SWIFT_API = ( - ("^/v1/(?P<account>[\w-]+)$", "GET", "get_account_details"), - ("^/v1/(?P<account>[\w-]+)$", "POST", "modify_account"), - ("^/v1/(?P<account>[\w-]+)$", "HEAD", "get_account"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)$", "GET", "get_container"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)$", "PUT", "create_container"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)$", "POST", "update_container_metadata"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)$", "DELETE", "delete_container"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)$", "HEAD", "get_container_metadata"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)/(?P<object>[\w-]+)$", "GET", "get_object"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)/(?P<object>[\w-]+)$", "PUT", "create_object"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)/(?P<object>[\w-]+)$", "COPY", "copy_object"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)/(?P<object>[\w-]+)$", "POST", "update_object_metadata"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)/(?P<object>[\w-]+)$", "DELETE", "delete_object"), - ("^/v1/(?P<account>[\w-]+)/(?P<container>[\w-]+)/(?P<object>[\w-]+)$", "HEAD", "get_object_metadata"), + ("^/v1/(?P<account>[\w_-]+)$", "GET", "get_account_details"), + ("^/v1/(?P<account>[\w_-]+)$", "POST", "modify_account"), + ("^/v1/(?P<account>[\w_-]+)$", "HEAD", "get_account"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "GET", "get_container"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "PUT", "create_container"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "POST", "update_container_metadata"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "DELETE", "delete_container"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)$", "HEAD", "get_container_metadata"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "GET", "get_object"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "PUT", "create_object"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "COPY", "copy_object"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "POST", "update_object_metadata"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "DELETE", "delete_object"), + ("^/v1/(?P<account>[\w_-]+)/(?P<container>[\w-]+)/(?P<object>.+)$", "HEAD", "get_object_metadata"), ) @@ -269,6 +270,21 @@ class AuthZProtocol(object): for api in SWIFT_API: if re.match(api[0], path) and method == api[1]: action = api[2] + length = int(env.get('CONTENT_LENGTH', '0')) + # TODO (dthom): compute for Nova, Cinder, Neutron, ... + _action = "" + if length > 0: + try: + sub_action_object = env['wsgi.input'].read(length) + self.input = sub_action_object + _action = json.loads(sub_action_object).keys()[0] + body = StringIO(sub_action_object) + env['wsgi.input'] = body + self._LOG.debug("wsgi.input={}".format(_action)) + except ValueError: + self._LOG.error("Error in decoding sub-action") + except Exception as e: + self._LOG.error(str(e)) return action @staticmethod @@ -293,7 +309,7 @@ class AuthZProtocol(object): return elif component == "swift": # remove the "/v1/" part of the URL - return env.get("PATH_INFO").split("/", 2)[-1].replace("/", "-") + return env.get("PATH_INFO").split("/", 2)[-1].replace("/", "-").replace(".", "-") return "unknown" def __call__(self, env, start_response): @@ -306,25 +322,38 @@ class AuthZProtocol(object): # return self._app(env, start_response) subject_id = env.get("HTTP_X_USER_ID") + if not subject_id: + self._LOG.warning("No subject_id found for {}".format(env.get("PATH_INFO"))) + return self._app(env, start_response) tenant_id = env.get("HTTP_X_TENANT_ID") + if not tenant_id: + self._LOG.warning("No tenant_id found for {}".format(env.get("PATH_INFO"))) + return self._app(env, start_response) component = self._find_openstack_component(env) action_id = self._get_action(env, component) + self._LOG.debug("\033[1m\033[31mrequest={}\033[m".format(env["PATH_INFO"])) if action_id: object_id = self._get_object(env, component) if not object_id: object_id = "servers" + self._LOG.debug("object_id={}".format(object_id)) self.__set_token() resp = self._get_authz_from_moon(self.x_subject_token, tenant_id, subject_id, object_id, action_id) self.__unset_token() if resp.status_code == 200: answer = json.loads(resp.content) + self._LOG.debug("action_id={}/{}".format(component, action_id)) self._LOG.debug(answer) if "authz" in answer and answer["authz"]: return self._app(env, start_response) + self._LOG.error("You are not authorized to do that! ({})".format(unicode(answer["comment"]))) raise exception.Unauthorized(message="You are not authorized to do that! ({})".format(unicode(answer["comment"]))) - self._LOG.debug("No action_id found for {}".format(env.get("PATH_INFO"))) - # If action is not found, we can't raise an exception because a lots of action is missing - # in function self._get_action, it is not possible to get them all. + else: + self._LOG.error("Unable to request Moon ({}: {})".format(resp.status_code, resp.reason)) + else: + self._LOG.debug("No action_id found for {}".format(env.get("PATH_INFO"))) + # If action is not found, we can't raise an exception because a lots of action is missing + # in function self._get_action, it is not possible to get them all. return self._app(env, start_response) # raise exception.Unauthorized(message="You are not authorized to do that!") |